| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <01a801c39a99$86fe9190$1e2ea8c0@LUFKIN.DPSOL.COM> From: purdy at tecman.com (Curt Purdy) Subject: [inbox] Re: RE: Linux (in)security > I agree that inherent OS features have much to do with their > security, but must observe that OSs like VMS and OS/400 have > very few security issues <snip> Agreed, I believe OS/400 may be the most secure out-of-the-box system out there. But never underestimate a lousy vendor. My last audit was for a HIPAA client that had all patient records on an AS/400. I thought I didn't have a chance in heck of touching them. On the AS/400 side that was true, with extremely granular access, allowing only certain users to certain data that was unreachable otherwise. However their main application happened to create a world readable/writeable windows share of the records. I simply plugged my laptop into an empty wall socket, browsed the ip network (not even logged into anything) and saw, copied, and wrote to any record of my choosing. I was so shocked it took me a few minutes to realize I just hit a grand slam. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke -------------- next part -------------- A non-text attachment was scrubbed... Name: winmail.dat Type: application/ms-tnef Size: 2428 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031024/e017fe92/winmail.bin
Powered by blists - more mailing lists